By Design: How Default Permissions on Microsoft Power Apps Exposed Millions

UpGuard Research found multiple data leaks relating to public access configuration issues on Microsoft Power Apps portals, affecting 38 million records across all portals. Data exposed included COVID-19 contact tracing details, vaccination appointments, social security numbers, employee IDs, and a wealth of names and email addresses. Among the 47 entities notified of exposure were governmental bodies like New York City, Maryland, Indiana, and private companies like Microsoft, American Airlines, and J.B. Hunt. The research highlights potential risks and exposures from third-party platforms that don’t fit into conventional vulnerability disclosure programs.